Manage Roles
Use the Manage Roles page to create, change, or delete roles. You can also manage role membership and role hierarchy.
The role hierarchy defines a parent-child relationship between an organizational role and its child roles. A child role itself is an organizational role.
The user members of a child role inherit the following attributes from the parent role:
- The entitlements associated with provisioning policies
- The permissions associated with the Access Control Items (ACIs)
- The ability to participate in workflow activities
When a child role is removed from a parent role, the entitlements associated with the parent role might be removed and are no longer inherited by the members of the child role.
You cannot delete a role that has user members or child roles. You must remove all of the users and child roles from the role before you can delete it.
You cannot delete a static role that is associated with a separation of duty policy or a provisioning policy. You must first remove the static role from the role separation list in the policy.
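An added example, not product code: a small Python model of the inheritance and delete rules described above, for estimating which users lose entitlements before a child role is removed from its parent. The class, function names and sample roles are constructed for illustration; the model assumes every role is static and that a role can have more than one parent.

```python
from dataclasses import dataclass, field

# Hypothetical model for access review; it does not call any product API.
@dataclass
class Role:
    name: str
    entitlements: set = field(default_factory=set)  # via provisioning policies
    members: set = field(default_factory=set)       # direct user members
    parents: set = field(default_factory=set)       # parent role names
    policies: set = field(default_factory=set)      # SoD/provisioning policies naming the role

def ancestors(roles, name):
    """All roles reachable by following parent links upward."""
    seen, stack = set(), list(roles[name].parents)
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(roles[p].parents)
    return seen

def effective(roles, user):
    """Entitlements a user holds directly or inherits from parent roles."""
    held = [r.name for r in roles.values() if user in r.members]
    names = set(held).union(*(ancestors(roles, n) for n in held))
    return set().union(*(roles[n].entitlements for n in names))

def detach_impact(roles, child, parent):
    """Per user, entitlements lost if `child` is removed from `parent`."""
    affected = {u for r in roles.values() for u in r.members
                if r.name == child or child in ancestors(roles, r.name)}
    before = {u: effective(roles, u) for u in affected}
    roles[child].parents.remove(parent)   # simulate the removal
    lost = {u: before[u] - effective(roles, u) for u in affected}
    roles[child].parents.add(parent)      # restore the model
    return {u: e for u, e in lost.items() if e}

def delete_blockers(roles, name):
    """Conditions from the page that prevent deleting a role."""
    r, kids = roles[name], [c.name for c in roles.values() if name in c.parents]
    return (([f"user members: {sorted(r.members)}"] if r.members else [])
            + ([f"child roles: {sorted(kids)}"] if kids else [])
            + ([f"referenced by policy: {sorted(r.policies)}"] if r.policies else []))

# Constructed sample hierarchy (not product data).
ROLES = {r.name: r for r in [Role("Finance", {"erp:read"}, {"carol"}),
    Role("AP Clerk", {"erp:invoice"}, {"alice", "carol"}, {"Finance"}),
    Role("Approver", {"erp:approve"}, set(), set(), {"SoD-AP"})]}
```

In the sample, removing AP Clerk from Finance costs alice the inherited entitlement, while carol keeps it through her direct Finance membership, which is why the page says entitlements "might" be removed.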
- Search information
- Type information about the search. If you do not type a value in this field, or if you type an asterisk (*) and click Search, the entire list of search results is displayed if the number of results does not exceed the search limit.
- Search by
- Select the search category.
- Role name or description searches for a role with a name or description that contains text that is entered in the Search information field.
- Business unit searches for a role that is associated with a business unit that contains text that is entered in the Search information field.
- Roles table
- Lists the roles that match the specified search criteria. To sort the table by a specific column, click the arrow in the column heading. The table contains these columns:
- Select
- Specifies a role. To select one or more roles, select the check box next to the role. To select all roles, select the check box at the top of the column.
- Name
- Identifies the name of the role. Click the icon next to the role name to display the tasks that can be carried out on the role:
- Change
- Click to change the role membership or entitlements.
- Delete
- Click to remove the selected role from the system.
- Manage User Members
- Click to see which users are members of the selected role, or to manage membership of the selected role.
- Manage Child Roles
- Click to see which roles are children of the selected role, or to manage membership of the selected role.
- Add User Members
- Click to add users as members of the selected role. This choice is not available for dynamic roles.
- Add Child Roles
- Click to add roles as children of the selected role. This choice is not available for dynamic roles.
- Manage Provisioning Policies
- Click to manage provisioning policies associated with the selected role.
- Transfer
- You can transfer static and dynamic roles to the business unit that is under the same organization root. Following are a few restrictions for role transfer activity:
- Roles cannot be transferred across different organization hierarchies.
- Static and dynamic roles cannot be transferred together.
- When dynamic roles are transferred, old entitlements might be lost. A user's entitlements or membership is recomputed based on the new business unit under which the dynamic role is transferred.
- Roles to be transferred must contain an Access Control Item (ACI) granted for the Modify operation.
- Description
- Provides additional information about the role.
- Business Unit
- Identifies the business unit to which the role applies. Click the link for more information about the business unit.
- Role Type
- Indicates whether the role is static or dynamic.
- Access Status
- Access status for the associated role. Access status displays the following values:
- Access Enabled
- Access is defined and enabled.
- Common Access Enabled
- Access is defined and enabled as common.
- Access Disabled
- Access is disabled or undefined.
- Access Type
- Access type for the associated service.
If the table contains multiple pages, you can:
- Click the arrow to go to the next page.
- Type the number of the page that you want to view and click Go.
You can use these buttons:
- Create
- Click to create a role.
- Change
- Click to change the role membership or entitlements.
- Delete
- Click to remove the selected role from the system.
- Export Access Data
- Click to open the Export Access Data page, and export the role access data. The Export Access Data button is not active until you select some accesses to activate it. Only the role accesses that you selected are exported.
- Import Access Data
- Click to open the Import Access Data page to import the access data for a role access. You can also import access data for a set of roles.
- Enabled Access
- Click to enable access for the selected roles.
- Disable Access
- Click to disable access for the selected roles.
- Refresh
- Click to update the list of items in the table.